Slack Example Webhook
This page describes the elements necessary to create a Centrify webhook for Slack.
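Create a webhook as described in Webhooks, configuring the elements of the endpoint as follows:
- Visit https://api.slack.com/incoming-webhooks for information on the URL to use. Anyone who holds a Slack incoming-webhook URL can post to the channel, so store it as a secret.
- Use the HTTP method: POST.
- Set the content type to `application/json`.
- Set the `enabled` state to `true`.
- Set the `Trigger Event Type` to `SecurityAlert` or `Analytics.Server.AdaptiveSessionRecording`.
- Select the `Triggering Risk Level` (required if `SecurityAlert` is selected).
- Enter the payload that will be sent as the POST body. The payload is a template: the `${...}` placeholders and `<#if ...>` directives are filled in from the triggering event, and the rendered result must be valid JSON. The example places event values such as `${user_name}` directly inside JSON strings, so confirm that values containing double quotes or backslashes are escaped; otherwise the rendered body is no longer valid JSON. In the example below, the `url` value for Cloud events contains two links run together, so check that value before use. For example: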
{
"attachments": [
{
"author_name" : "Centrify Analytics",
"author_link": "https://${tenant_id}-${system.podscape}.${system.domain}/analytics",
"author_icon": "https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/favicons/favicon.png",
"title": "Security Alert from Centrify Analytics",
"color": "<#if intel_risk_level=='high'>danger<#else>warning</#if>",
"fields": [
{
"value": "<#if event_name=='Cloud.Core.MfaSummary'>Service Login<#elseif event_name?starts_with('Cloud.Saas.Application')>Launched ${app_name}<#elseif event_name?ends_with('PasswordExport')>Requested Infrastructure credential checkout<#elseif event_name?ends_with('SessionStart')>Requested Infrastructure login<#elseif event_name?ends_with('CpsTileLaunch')>Infrastructure resource access to ${app_name}<#else>${event_name}<#if action?has_content> for command ${action}</#if> on ${target_address}</#if>",
"short": false
},
{
"title": "Who",
"value": "${user_name}",
"short": true
},
{
"title": "When",
"value": "${utils.number_to_datetime_timezone(event_time, 'US/Pacific')}",
"short": true
},
{
"title": "Where",
"value": "<#if event_name?starts_with('Cloud')>${city}<#else>${target_address}</#if>",
"short": true
},
{
"title": "Operating System",
"value": "${os_type}",
"short": true
},
{
"title": "Risk Level",
"value": "${intel_risk_level?cap_first}",
"short": true
}
<#if reason?eval.text?has_content>
,
{
"title": "Reason",
"value": "${reason?eval.text}",
"short": true
}
</#if>
]
},
{
"title": "Investigate",
"color": "#3AA3E3",
"fallback": "Investigate at https://${tenant_id}-${system.podscape}.centrify.io/analytics",
"actions": [
{
"type": "button",
"text": "Analytics Portal",
"url": "<#if event_name?starts_with('Cloud')>https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${user_name}'))&start=%24now-90days&end=%24now-0days&categoryval=behavior&drillview=Infrastructure%20Server%20Risk&ignoresession=truemy-kibble.centrify.io/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${user_name}'))&start=%24now-90days&end=%24now-0days&categoryval=behavior&drillview=Category%20Alert&ignoresession=true<#else>https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${user_name}'))&start=%24now-90days&end=%24now-0days&categoryval=behavior&drillview=Infrastructure%20Server%20Risk&ignoresession=true</#if>"
}
]
}
]
}